Langflow Desktop

langflow_desktop

Vendor: Langflow • 6 CVEs

CVEs (6)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-6543 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB cr...Show more IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.Show less
CVE-2026-3345 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary fi...Show more IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.Show less
CVE-2026-4503 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
CVE-2026-4502 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../)...Show more IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.Show less
CVE-2026-3346 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 6.4 MEDIUM· v3 N/A· v2 IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended f...Show more IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.Show less
CVE-2026-3340 1Langflow 1Langflow Desktop May 11, 2026 Apr 30, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to ne...Show more IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.Show less